Computer Science Review 29 (2018) 44–55

Contents lists available at ScienceDirect

Computer Science Review

journal homepage: www.elsevier.com/locate/cosrev

A recent review of conventional vs. automated cybersecurity

anti-phishing techniques
Issa Qabajeh b , Fadi Thabtah a, *, Francisco Chiclana b
a
Digital Technology Department, Manukau Institute of Technology, Auckland, New Zealand
b
Centre for Computational Intelligence, De Montfort University, Leicester, UK

article info a b s t r a c t
Article history: In the era of electronic and mobile commerce, massive numbers of financial transactions are conducted
Received 12 September 2017 online on daily basis, which created potential fraudulent opportunities. A common fraudulent activity
Received in revised form 23 May 2018 that involves creating a replica of a trustful website to deceive users and illegally obtain their credentials
Accepted 28 May 2018
is website phishing. Website phishing is a serious online fraud, costing banks, online users, governments,
and other organisations severe financial damages. One conventional approach to combat phishing is to
raise awareness and educate novice users on the different tactics utilised by phishers by conducting
Keywords:
Classification periodic training or workshops. However, this approach has been criticised of being not cost effective
Computer security as phishing tactics are constantly changing besides it may require high operational cost. Another anti-
Phishing phishing approach is to legislate or amend existing cyber security laws that persecute online fraudsters
Machine learning without minimising its severity. A more promising anti-phishing approach is to prevent phishing attacks
Web security using intelligent machine learning (ML) technology. Using this technology, a classification system is
Security awareness integrated in the browser in which it will detect phishing activities and communicate these with the end
user. This paper reviews and critically analyses legal, training, educational and intelligent anti-phishing
approaches. More importantly, ways to combat phishing by intelligent and conventional are highlighted,
besides revealing these approaches differences, similarities and positive and negative aspects from the
user and performance prospective. Different stakeholders such as computer security experts, researchers
in web security as well as business owners may likely benefit from this review on website phishing.
© 2018 Elsevier Inc. All rights reserved.

Contents

1. Introduction......................................................................................................................................................................................................................... 45
2. Phishing background .......................................................................................................................................................................................................... 45
2.1. Phishing history...................................................................................................................................................................................................... 45
2.2. Phishing process ..................................................................................................................................................................................................... 46
2.3. Phishing as a classification problem ..................................................................................................................................................................... 46
3. Common traditional anti-phishing methods .................................................................................................................................................................... 47
3.1. Legal anti-phishing legislations............................................................................................................................................................................. 47
3.2. Simulated training.................................................................................................................................................................................................. 48
3.3. User experience: Anti-phishing online communities.......................................................................................................................................... 48
3.4. Discussion non intelligent anti-phishing solutions ............................................................................................................................................. 48
4. Computerised anti-phishing techniques ........................................................................................................................................................................... 49
4.1. Databases (blacklist and whitelist) ....................................................................................................................................................................... 49
4.2. Intelligent anti-phishing techniques based on ML .............................................................................................................................................. 50
4.2.1. Decision trees and rule induction.......................................................................................................................................................... 50
4.2.2. Associative classification (AC)................................................................................................................................................................ 51
4.2.3. Neural network (NN) .............................................................................................................................................................................. 51
4.2.4. Support vector machine (SVM).............................................................................................................................................................. 52
4.2.5. Fuzzy logic ............................................................................................................................................................................................... 52
4.2.6. CANTINA term frequency inverse document frequency approach ..................................................................................................... 52

* Corresponding author.
E-mail addresses: P12047781@myemail.dmu.ac.uk (I. Qabajeh), fadi.fayez@manukau.ac.nz (F. Thabtah), chiclana@dmu.ac.uk (F. Chiclana).

https://doi.org/10.1016/j.cosrev.2018.05.003
1574-0137/© 2018 Elsevier Inc. All rights reserved.
 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
5. Conclusions.......................................................................................................................................................................................................................... 53
References ........................................................................................................................................................................................................................... 53
1. Introduction
With the advanced development of computer hardware, espe-
cially computer networks and cloud technology services, online
and mobile commerce have significantly increased in the last few
years [1]. Indeed, the number of customers who perform online
purchase transactions has dramatically increased and large mon-
etary values are daily exchanged through electronic means, such
as private payment gateways, that are usually verified by secure
socket layer (SSL) [2]. Despite the convenience associated with
online transactions from both user and business prospectives, an
online threat has emerged: phishing.
Phishing attacks are attempts to access online users’ sensitive
financial information using fake websites that are visually similar
to authentic websites [3]. In phishing attacks, social engineering
techniques are normally utilised to redirected users to the mali-
cious website. Specifically, an email is sent to users from apparent
trustworthy sources, urging them to adjust their login information
by clicking/following a hyper link [4]. Phishing techniques include
spear phishing, which is a focused attack in which emails are sent
to employees of a business in an attempt to access a company’s
computer system, or whaling, that targets senior corporate exec-
utives [5]. Unfortunately, the consequences of phishing are fatal
because affected legitimate users become vulnerable to identity
theft and information breach and no longer trust online commerce
and electronic banking [6]. For instance, Gartner Group [7] pub-
lishes periodic reports that revealed financial damages caused by
phishing attacks. In addition, to raise awareness about phishing
an international body that aims to minimise online threats includ-
ing pharming, spoofing, phishing and malware, the Anti-Phishing
Work Group (APWG), was created [8]. APWG periodically dissem-
inates reports for the online community on recent cyber-attacks,
with a recent report stating the rapid increase of phishing websites
to 17,000 in the month of December 2014 alone [9]. A recent
report published by APWG revealed that there were approximately
1,220,523 phishing attacks in 2016.
It seems imperative that users, as well as businesses, adopt re-
newable anti-phishing tools or strategies to reduce phishing activi-
ties and protect themselves from their potential negative impacts.
This is important because phishing attacks are constantly chang-
ing and new deceptions are emerging all the time. Anti-phishing
solutions adopting DM (ML) are shown to be more practical and
effective in combating phishing because they work automatically
and are capable of revealing concealed knowledge that online users
are not aware of, especially with respect to the relationship among
website features and phishing activities. This hidden knowledge,
when combined with human experience, can result in an effective
shield for protecting users from phishing (add a reference).
In this paper, we investigate the phishing problem and de-
fine it in a classification ML context. We then discuss common,
traditional, strategies in addition to computerised techniques de-
veloped to combat phishing. More importantly, the paper thor-
oughly investigates traditional and ML anti-phishing classification
techniques and critically analyses their benefits and disadvantages
theoretically. There have been few former reviews on phishing
such as Suganya [10], Mohammad et al. [11,12], Sahu and Dubey
[13], Almomani et al. [14] and Basnet et al. [15] among others.
For instance, Almomani et al. [14] reviewed a number of filtering
techniques to combat phishing. The authors have focused only
on technical solutions of detecting phishing emails by reviewing
techniques related to Bag of Words, frequency analysis, blacklists,
45
support vector machines and other artificial intelligence search
methods. Little information concerning non-technical solution
were provided. Instead, the authors paid full attention to review
automated solutions that can be integrated within email systems
to detect phishing attacks. Lastly, the authors reported different
disseminated research results in a table format to show the per-
formance of various different machine learning techniques against
email phishing data. However, it will be hard to generalise such
performance due to the fact that these results have been derived
from datasets with different characteristics. Overall, the survey
provided was insightful and it provide rich information to users
in order to reduce the chance of falling into email phishing attacks.
Gupta et al. [16] reviewed different types of phishing attacks
and then discussed a number of anti-phishing approaches includ-
ing social engineering ones. More importantly, the authors showed
features related to phishing attacks that have been collected from
previous research works including [14,17,18] and [32] among oth-
ers. Lastly, the authors highlighted emergent trends in phishing
and modern technologies such as the Internet of Things. Gupta et
al. [19] highlighted recent challenges and new emergent trends
in phishing attacks. The focus of the researcher was on the new
technology of the Intent of Things and spear phishing. The authors
also discussed recent phishing datasets and their features.
Most of phishing reviews have covered partly one or more of
phishing aspects. For instance, Suganya [10] and Sahu and Dubey
[13] briefly reviewed phishing attacks without showing the ways
to combat them or their pros and cons. Mohammad et al. [11,12]
discussed in general common solutions of website phishing with-
out providing grounds for recommendations besides not covering
specific intelligent approaches. Almomani et al. [14] reviewed in-
telligent solutions to detect phishing emails. Lastly, Basnet et al.
[15] compared only few intelligent anti-phishing solutions without
on elaborating the other computerised and classic approaches of
anti-phishing. Therefore, this article not only comprehensively
reviews phishing from wider prospective but also it critically anal-
yses traditional and automated anti-phishing solutions.
This paper serves researchers, organisations’ managers, com-
puter security experts, lecturers, and students who are interested
in understanding phishing and its corresponding intelligent solu-
tions. This is since wider potential solutions have been critically
analysed and experimentally compared besides presenting classic
solutions including educational, legal, and software based. This
paper is structured as follows: Section 2 presents the phishing
problem, its history, and its lifecycle. Section 3 critically analyses
common classic methods of combating phishing besides critically
analysing them. Section 4 is devoted to intelligent anti-phishing
solutions that employ different strategies in deriving the anti-
phishing models. Section 5 provides the conclusions.
2. Phishing background
2.1. Phishing history
Phishing comes from the word ‘‘fishing’’, in which the phisher
throws a bait and awaits for potential users to take a bite. Phishing
is not recent as an online risk, with its origin rooted in a social en-
gineering method using telephones known as ‘‘phone phreaking’’
[20]. It was during the 1990s period when the internet community
started to grow that phishing was originally observed as an online
threat, especially in the United States [15].
46 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
Fig. 1. Example of an early phishing attack (Blogonlymyemail.com).
According to McFredies [21], the first phishing incident was
noticed in the mid-1990s when phishers attempted to obtain regis-
tered online users’ account information from the internet provider
America Online (AOL). Phishers during this era frequently utilised
instant messages (IM) in AOL chat rooms or emails to reach users
so that they would reveal their passwords (Fig. 1 illustrates an
example of an early phishing attack), which were subsequently
used by phishers to leverage the victims’ accounts and begin email-
ing spam to other online users. Obviously, phishers realised that
they could further trick victims if the IMs and emails requested
them to update their billing information. With this realisation, the
attackers expanded their aim and using the same electronic means
(IMs and emails) attempted to access other financial information
from victims such as social security numbers, addresses, credit card
information, etc.
One of the most common beliefs that ordinary users have about
phishing websites is that grammatical errors and typos are typical
within these websites [20]. This has misled users into believing
that a website without grammatical errors must be trustworthy,
which has proven not necessarily be true. Phishers in today’s
cyber world become more innovative and work systematically in
groups sometimes even orchestrating phishing campaigns moti-
vated by potential financial gains. In fact, phishers are continuously
changing their spoofing methods based on the counterpart security
measures taken by organisations, and recently they have directed
their attention to the mobile commerce platform. This means that
the profile of phishers has changed from egocentric purposes into
more organised and serious cybercrime that keeps evolving, which
makes it hard to detect.
2.2. Phishing process
Phishing attacks are initiated through an email sent to potential
users. Other ways a phisher may start an attack include Instant
Messaging, online blogs and forums, short message services, peer
to peer file sharing services, and social media websites [18]. We
can summarise the phishing lifecycle as follows (see Fig. 2):
(1) A link is sent using one of the aforementioned channels to
potential victims.
(2) When clicked, the link will redirect potential victims to a
malicious website.
(3) Users become vulnerable as they try to login using their
credentials on the malicious website.
(4) Login credentials are then transferred to a server, or a key
logger is installed into the user’s computing device.
(5) The phisher can then utilise the credentials to perform ad-
ditional cybercrimes.
2.3. Phishing as a classification problem
Generally speaking, websites can be classified by hand-crafted
methods based on certain features such as URL length, pre-
fix_suffix, domain, sub_domain, etc. Initially, scholars in the area of
online security [22,23] developed different knowledge bases using
their experience and expertise to distinguish phishing from legit-
imate websites. Recently, there have been studies and proposals
aiming at deriving intelligent rules to detect the fine line between
legitimate and phishing websites using statistical analysis [18,24,
25]. For instance, Aburrous et al. [26] and Mohammad et al. [25]
defined a number of hand crafted rules based on various website
features using simple statistical analysis on websites (instances)
collected from different sources including Phishtank and Yahoo
directory [27]. More advanced decision rules have been developed
in [18] in which the authors used further statistical analysis on a
larger phishing dataset collected from varying sources.
ML and DM have proved to be powerful data analysis tools
in many application domains such as medical diagnosis, market
basket analysis, weather forecasting and events processing, to cite
some [1]. This is due to the fact that ML and DM techniques usually
reveal concealed meaningful information from large datasets so
they can be utilised in management decisions related to develop-
ment, planning, and risk management. Generally speaking, ML and
DM can be seen as an automated and intelligent tool embedded
within management information systems to guide decision making
processes in both business and scientific domains. Common tasks
or problems that ML and DM handle are clustering, association rule
discovery, regression analysis, classification, pattern recognition,
time series analysis, trends analysis, and multi-label learning [3,
28].
One of the frequent task of ML is the forecasting of a target
variable within datasets based on other available variables [28].
This forecasting process occurs in an automated manner using a
classification model, normally named the classifier, that is derived
from a labelled training dataset. The goal of the classifier is to
‘‘guess’’ the value of the target variable in unseen data, referred to
as the test dataset, as accurately as possible. This task description
falls under the umbrella of supervised learning and is known as
classification. Abdelhamid and Thabtah [1] defined classification
as the ability to ‘‘accurately’’ predict class attributes for a test
instance using a predictive model derived from a training dataset.
Since the problem of website phishing involves automatic cat-
egorisation of websites into a predefined set of class values (legit-
imate, suspicious, phishy) based on a number of available features
(variables) then this problem can be considered a classification
problem. To be more specific, the training dataset will consist of
a set of predefined features and the class attribute and instances
are basically the websites’ feature values. These instances can be
extracted from different sources such as Phishtank and online
directories. The aim will be to build an anti-phishing classifier that
can predict the type of website based on hidden knowledge dis-
covered from the training set features during the data processing
phase. Usually the goodness of the classifier is measured using
accuracy, which primarily relies on the correlations of the features
and the class [29]. Fig. 3 shows phishing as a classification problem
from the ML prospective. As discussed before, phishing websites
are dynamics and consequently it can modelled as a dynamic
supervised learning classification problem. Therefore, an effective
anti-phishing classifier should be adaptable to any new features
observed in order to handle and manage the dynamic nature of the
problem.
In this review paper, we focus on content based methods that
fall under website phishing attacks as shown in Fig. 4. We omit
non-content based methods such as domain popularity, restricted
from filing, DSN based features, water marking, one time password,
layout similarity and crowd sourcing among others. Also email
finishing techniques are omitted from the graph since they are out
of scope.
 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
Fig. 2. Phishing life cycle [18].
Fig. 3. Website phishing as a classification process.
3. Common traditional anti-phishing methods
Since phishing causes serious breaching of user confidentiality,
as well as organisations including government agencies, there
have been different methods proposed to combat phishing. These
approaches can be categorised into three main categories:
• Education and legal
• Computerised using human-crafted methods
• Intelligent ML methods.
In this section, we examine the literature on phishing and critically
analyse different techniques based on the above categories. Focus,
however, will be on the intelligent anti-phishing solutions since
it is believed to be the way forward in shielding the web from
phishing threats and promising results have recently been derived
by this category in [6,30–33], [2,4], among others.
3.1. Legal anti-phishing legislations
Governments have been slow in responding and opposing
started to oppose phishing. California State in the US was the first to
issue anti-phishing legislation in 2005 [34]. This legislation stated
that it is unlawful to use any electronic means such as websites,
47
Fig. 4. Taxonomy of website phishing approaches.
emails, or any other methods to ask or solicit information from on-
line users by claiming ones self as a business without the authority
of that business. Other US States such as Texas have also introduced
new cybercrime legislations that include phishing, and in 2005 the
General Assembly of Virginia added phishing attacks to their list
of computer crimes [35]. These new laws empowered companies
such as America Online to file lawsuits in Virginia against phishers
in 2006 [36]. However, most states in US have not legislated spe-
cific laws incriminating phishing and usually prosecute phishers
using other computing crime laws such as fraud.
At Federal level in US, lawmakers and congressional repre-
sentatives have not passed anti-phishing legislation either. There
were a few attempts between 2004 and 2006 following the Anti-
Phishing Act of 2004 to pass specific bills incriminating phishing
48 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
and instigating tougher prison sentences, but these bills were
stopped at the committee level in Congress. Nevertheless, federal
law enforcement can incriminate phishers using other laws that
are related to identity theft and fraud such as ‘‘18 U.S.C. section
1028’’ [36]. Businesses have also joined the Government in fighting
phishing. For example, in 2005 Microsoft filed over 115 lawsuits
in Washington’s Western District Court accusing a single Internet
user of utilising various deceptive methods to access some of
the company’s users’ information (add reference). In mid-2006,
the then president George W. Bush established a new cybercrime
identity theft task force [37], with a single goal: reduce the risks of
cybercrime, especially phishing.
The United Kingdom (UK) has followed the US by strengthening
its legal system against severe cybercrimes, including fraud and
identity theft. In 2006, the UK introduced the new Fraud Act,
which increased prison sentences to up to ten-years for online
fraud offences [38]. This same act prevents possession of a phishing
website with the intent to deceive users and commit fraud. Fur-
ther, Microsoft decided to collaborate with other law enforcement
agencies outside US to bring justice to phishers. In doing so, the
company signed an agreement with the Australian government to
train law enforcement agents in preventing phishing [39]. Also,
in 2010 Canada introduced an Anti-spam Act that incriminates
cybercrime and that aims to protect Canadian online consumers
and businesses when globally trading [40].
3.2. Simulated training
One of the easy, yet helpful, policies to oppose cybercrimes is
to educate users on the ways employed to access their informa-
tion. When novice users are aware of the circumstances around
phishing, they may be able to minimise this risk or stop it as
early as possible. Unfortunately, ordinary web browsing users are
unaware of how phishing attacks start or how visually to recog-
nise an untruthful website and differentiate it from one that is
trustworthy [11,12]. Moreover, basic security indicators and anti-
phishing software counterparts are still vague for many online
shoppers [24]. Subsequently, these increase the pace of phishing
and motivate phishers to launch further attacks. For instance, a
security survey was conducted by Julie et al. [41], which revealed
the lack of knowledge on cybercrimes, including phishing, held by
online users. In addition, some respondents in the survey showed
security awareness yet were reluctant in using their financial infor-
mation for payment purposes, even within trustworthy websites.
There have been a number of studies on educating people as
to the severity of phishing. For example, Arachchilage and Love
[42] investigated whether mobile games can be a helpful method
for raising awareness of phishing attacks. The authors evaluated
learning curves of users who played with a mobile game about
phishing developed by Arachchilage and Cole [43], and assessed
whether an interactive mobile platform is effective in educating
users in contrast to traditional security training. A comparison of
user responsiveness to phishing has also been conducted using the
developed mobile game, along with a website designed by APWG.
The results showed that users who played the anti-phishing mobile
game were able to spot non-genuine websites with a higher rate of
accuracy than other users who only used the APWG website.
There are a number of organisations and research studies, such
as Arachchilage et al. [44] and Ronald et al. [45], that have adopted
a relative training to warn users of phishing. This training involves
sending participants simulated malicious emails from a genuine
source to evaluate their exposure to phishing. At the end of the
training, participants are given the training material and informed
about their vulnerability to phishing.
Embedded training is another way to measure a users’ vul-
nerability to phishing. This training often mimics primary daily
business processes performed by employees by experimenting to
measure a certain outcome Arachchilage and Love [42]. In phish-
ing, the authors of Arachchilage et al. [44] used the embedded
training methodology to measure phishing awareness at a uni-
versity. The authors sent malicious emails from the administrator
to participants without informing them of the training material
content. These emails urged users to click on a link that would
redirect them to a malicious website where they would input
their login credentials. This aim was directed at identifying the
number of users who would actually click on the link. During
the experiment, the user was interrupted immediately when he
clicked the link and was then provided with the training material.
The embedded training proposed by the authors was based on a
preliminary pilot study conducted by them on a limited number of
university students.
3.3. User experience: Anti-phishing online communities
One of the approaches to reducing the impact of phishing on
online users and organisations is to build an anti-phishing commu-
nity to monitor recent phishing activities and provide news to the
different stakeholders. Users’ experiences are practical and based
on real cases related to different types of phishing. Such efforts
by users and organisations have resulted in new proactive online
communities and data repositories. These accumulated and useful
resources are of interest since they can be employed to study ways
to make the Internet safer and free from phishing.
The Monitoring and Takedown (MaT) approach enables individ-
uals who recognise phishing activity to report it via public anti-
phishing communities including APWG, PhishTank, Millersmiles,
and Symantec among others [8,27,46,47]. These anti-phishing
communities allow users to report phishing content and warn
other users and organisations as well. Users can also report phish-
ing content to the Federal Trade Commission’s Complaint Depart-
ment, becoming directly part of the campaign towards combating
phishing. Many reputable companies also have an internet fraud
department that allows users to report any fraudulent or suspi-
cious activity such as phishing. PhishTank was created in 2003 as
a subsidiary of OpenDNS in order to provide the parent company,
as well as the online community, with a phishing repository. This
large collection of stored phishing websites has given computer
security experts, users, researchers and business owners’ exten-
sive information about phishing attacks and the features of their
associated emails and websites. Another example of a good use of
user experiences is Cloudmark, which is an alerting-based anti-
phishing method with user rating system [48]. When a user is
visiting a website and experiencing any kind of threat, they can
then rate that website to alert other online users. Finally, Web
of Trust (WOT) is another example of an anti-phishing approach
based on the user feedback rating model [49].
3.4. Discussion non intelligent anti-phishing solutions
Legislators in the US, UK and Canada, among others countries,
have approved legislative bills that include serious jail sentences
for incriminated phishers. This has been made clear in several high
profile cases, especially in the US. Nevertheless, these legislative
bills have not achieved a decrease of phishing attacks. On the
contrary, phishing has now become more severe than ever and
businesses as well as individual users have suffered from sub-
stantial financial losses as a result. One of the primary reasons
for legal actions not to be as effective as expected in minimising
phishing is due to the fact that often a phishing website has a short
life span (normally about two days), which helps the phisher to
disappear quickly once the fraud has been committed, making law
enforcement difficult.
 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
As previously mentioned, raising awareness of phishing risks
and educating users has shown promising initial results [45]. Com-
puter security scholars have adopted different ways to disseminate
the seriousness phishing may cause to society, with [8,27] using
web-based material to teach novice users phishing fraud tech-
niques; while others, such as Arachchilage et al. [44], developing
contextual and embedded trainings based on simulated phishing
emails coming from genuine sources; or educational material on
phishing based on mobile games in order to increase the motiva-
tion factor among [42].
Even though educating users may positively affect the global ef-
forts of combating phishing, this approach demands high costs and
requires users to be equipped with computer security knowledge.
Large organisations and governments are periodically investing in
the development of anti-phishing materials in both hard and soft
forms as well as websites and mobile applications. However, since
phishing techniques keep changing/evolving, small to medium
enterprises might not have the resources large organisations have
to enable them to invest in their users’ education. Therefore, a
large portion of the online community realistically cannot afford
the continuous additional costs to keep updating current anti-
phishing material. Furthermore, phishing techniques are becoming
more sophisticated because of the group efforts of phishers who
employ systematic attack strategies, which make it harder for even
security experts and specialised law enforcement agents to keep
their skills updated. This makes ordinary users vulnerable, even if
they were equipped with basic knowledge about phishing. Thus,
more advanced, cheaper and intelligent approaches are needed for
their implementation both within educational and legislative solu-
tions to further reduce phishing attacks. We have seen thoughtful
attempts that evolved from user experiences, user ratings, and
users’ social networking (such as Phishtank, Cloudmark, and APWG
among others helping novice users and enterprises avoid falling
prey to phishing). Effectiveness of these user community based
approaches relies mainly on the following factors: (1) User experi-
ence; (2) User knowledge; (3) User honesty; and (4) Accessibility
and validity of the user community’s website data. Unfortunately,
these factors are difficult to measure and validate, thus relying
on user experience and knowledge alone necessitates careful care
and accuracy. We hypothesise that by ‘‘only’’ considering users’
experience in judging a websites’ legitimacy is not enough to
combat phishing, although it can be a supporting approach to a
more advanced intelligent solution based on ML/DM.
4. Computerised anti-phishing techniques
There has been development of anti-spam software tools that
can block suspicious emails, however, these programmes con-
stantly block a large number of genuine emails and classify them
as junk emails [11,12]. Emails misclassified as spam are simply
false positive instances. Thus, one of the ultimate goals of the
computerised anti-phishing tool is to reduce false positives and
increase true positives so users can be confident of their mailbox’s
filter results without having to manually check their junk email
folder.
4.1. Databases (blacklist and whitelist)
A database driven approach to fight phishing, called black-
list, was developed by several research projects [2,50,51]). This
approach is based on using a predefined list containing domain
names or URLs for websites that have been recognised as harm-
ful. A blacklisted website may lose up to 95% of its usual traffic,
which will hinder the website’s revenue capacity and eventually
profit [23]. This is the primary reason that web masters and web
administrators give great attention to the problem of blacklisting.
According to Mohammad et al. [11,12], there are two types of
blacklists in computer security:
49
• Domain/URL Based. These are real time URL lists that con-
tain malicious domain names and normally look for spam
URLs within the body of emails.
• Internet Protocol Based. These are real time URL or domain
server blacklists that contain IP addresses who, in real-time,
change their status. Often, mailbox providers, such as Ya-
hoo for example, check domain server blacklists to evaluate
whether the sending server (source) is run by someone who
allows other users to send from their own source.
Users, businesses, or computer software enterprises can create
blacklists. Whenever a website is about to be browsed, the browser
checks the URL in the blacklist. If the URL exists in the blacklist,
a certain action is taken to warn the user of the possibility of a
security breach. Otherwise, no action will be taken as the web-
site’s URL is not recognised as harmful. Currently, there are a few
hundred blacklists which are publically available, among which
we can mention the ATLAS blacklist from Arbor Networks, BLADE
Malicious URL Analysis, DGA list, CYMRU Bogon list, Scumware.org
list, OpenPhish list, Google blacklist, and Microsoft blacklist [52].
Since any user or small to large organisation can create blacklists,
the currently public available blacklists have different levels of
security effectiveness, particularly with respect to two factors:
1. Times the blacklist gets updated and its consistent availabil-
ity.
2. Results quality with respect to accurate phishing detection
rate.
Marketers, users, and businesses tend to use Google and Mi-
crosoft blacklists when compared with other publically available
blacklists commonly use because of their lower false positive rates.
A study by [2] analysing blacklists concluded that they contain on
average 47% to 83% phishing websites.
Blacklists often are stored on servers, but can also be available
locally in a computer machine as well [25]. Thus, the process
of checking whether a URL is part of the blacklist is executed
whenever a website is about to be visited by the user, in which
case the server or local machine uses a particular search method to
verify the process and derive an action. The blacklist usually gets
updated periodically. For example, Microsoft blacklist is normally
updated every nine hours to six days, whereas Google blacklist
gets updated every twenty hours to twelve days [11,12]. Hence,
the time window needed to amend the blacklist by including new
malicious URLs, or excluding a possible false positive URLs, may
allow phishers to launch and succeed in their phishing attacks. In
other words, phishers have significant time to initiate a phishing
attack before their websites get blocked This is an obvious limita-
tion of using the blacklist approach in tracking false websites [18].
Another study by APWG revealed that over 75% of phishing do-
mains have been genuinely serving legitimate websites and when
blocked imply that several trustworthy websites will be added
to the blacklist, which causes a drastic reduction in the website’s
revenue and hinder its reputation [9].
After the creation of blacklists, many automated anti-phishing
tools normally used by software companies such as McAfee,
Google, Microsoft, were proposed. For instance, The Anti-Phishing
Explorer 9, McAfee Site Advisor, and Google Safe Base are three
common anti-phishing tools based on the blacklist approach.
Moreover, companies such as VeriSign developed anti-phishing
internet crawlers that gather massive numbers of websites to iden-
tify clones in order to assist in differentiating between legitimate
and phishing websites.
There have been some attempts to look into creating whitelists,
i.e. legitimate URL databases, in contrast to blacklists [53]. Unfor-
tunately, since the majority of newly created websites are initially
identified as ‘‘suspicious’’, this creates a burden on the whitelist
50 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
approach. To overcome this issue, the websites expected to be
visited by the user should exist in the whitelist. This is sometimes
problematic in practise because of the large number of possible
websites that a user might browse. The whitelist approach is sim-
ply impractical since ‘‘knowing’’ in advance what users might be
browsing for might be different to those actually visited during the
browsing process. Human decision is a dynamic process and often
users change their mind and start browsing new websites that they
initially never intended to.
One of the early developed whitelist was proposed by Chen and
Guo [53], which was based on users’ browsing trusted websites.
The whitelist monitors the user’s login attempts and if a repeated
login was successfully executed this method prompts the user to
insert that website into the whitelist. One clear limitation of Chen
and Guo’s method is that it assumes that users are dealing with
trustful websites, which unfortunately is not always case.
Phishzoo is another whitelist technique developed by Afroz and
Greenstadt [5]. This technique constructs a website profile using
a fuzzy hashing approach in which the website is represented by
several criteria that differentiate one website from another includ-
ing images, HTML source code, URL, and SSL certificate. Phishzoo
works as follows:
1. When the user browses a new website, PhishZoo makes a
specific profile for that website.
2. The new website’s profile is contrasted with existing profiles
in the PhishZoo whitelist.
• If a full match is found, the newly browsed website is
marked trustful.
• If partly matching, then the website will not be added
since it is suspicious
• If no match is found but the SSL certificate is matched,
PhishZoo will instantly amend the existing profile in
the whitelist.
• If no match is found, then a new profile will be created
for the website in the whitelist.
Recently, Lee et al. [31] investigated the personal security im-
ages whitelist approach and its impact on internet banking users’
security. The authors utilised 482 users to conduct a pilot study
on a simulated bank website. The results revealed that over 70%
of the users during the simulated experiments had given their
login credentials despite their personal security image test not
being performed. Results also revealed that novice users do not pay
high levels of attention to the use of personal images in ebanking,
which can be seen as a possible shortcoming for this anti-phishing
approach.
4.2. Intelligent anti-phishing techniques based on ML
Since phishing is a typical classification problem, ML and DM
techniques seem appropriate for deriving knowledge from website
features that can assist in minimising the problem. The key to
success in developing automated anti-phishing classification sys-
tems is a website’s feature. Since there are a tremendous number
of features linked with a website, a necessary step to enhance
the predictive system performance is to pre-process the set of
features in order to pick up the ‘‘most’’ effective. Feature effective-
ness can be measured using different computational intelligence
methods such as information gain, correlation analysis, and chi-
square among others [54,55]).
Once an initial features set is chosen, the intelligent algorithm
can be applied on the selected features to come up with the
predictive system. There are many ML and DM algorithms for
classification that have been developed by scholars in the last two
to three decades as covered in Chapter 2. Most of these algorithms
use one of the following major classification approaches in deriving
their predictive systems:
(1) Decision trees (ID3, C4.5 and successors) [56].
(2) Probabilistic models (Naïve Bayes, Bayesian Network and
successors) [57].
(3) Rule-based classification
a. Associative classification (AC)
i. Classification based Association (CBA and succes-
sors) [58].
ii. Classification based on Multiple Association
(CMAR and successors) [59].
iii. Multiclass Classification-based Association
(MCAR and successors) [60].
b. Rule induction such as FOIL, RIPPER and successors
[61].
c. Covering or greedy, such as PRISM [62] and eDRI [29,
30].
(4) Neural Networks (NN) methods and their successors [63].
(5) Support Vector Machine (SVM) [64,65]
(6) Fuzzy Logic (FL) [66]
(7) Boosting and paging methods, and their successors [67].
(8) Search methods such as Genetic Algorithms (GA) [68].
The rest of this section critically analyses intelligent
anti-phishing attempts based on ML. We show how these ap-
proaches derive a classification anti-phishing system along with
their benefits and weaknesses.
4.2.1. Decision trees and rule induction
Fette et al. [69] explored email phishing utilising the C4.5 deci-
sion tree classifier among other methods including Random Forest,
SVM and Naïve Bayes. As a result, a new Random Forest method
called ‘‘Phishing Identification by Learning on Features of Email
Received’’ (PILFER) was developed. Experiments on a set of 860
phishy and 695 ham emails were conducted. Various features for
distinguishing phishing emails identified included: IP URLs, time
of space, HTML messages, number of connections inside the email,
and JavaScript. The authors claim that PILFER can be improved
towards grouping messages by joining all ten features discovered
in the classifier apart from ‘‘Spam filter output’’.
Mohammad et al. [25] investigated a number of rule induction
algorithms on the problem of website phishing classification. The
authors compared RIPPER, C4.5 (Rules), CBA, and PRISM on a secu-
rity dataset they collected containing 2500 instances and 16 fea-
tures. A special hand crafted rule to collect the data was developed
by the authors based on simple statistical analysis performed on
the initial dataset’s features. Experiments of the four rule-based
classification methods showed that there are eight effective fea-
tures that can be employed by the classification algorithm in com-
bating phishing: SSL and HTTPS, Domain-age, Site-traffic, Long-
URL, Request-URL Sub-domain, Multi-sub-domain, Suffix–prefix,
and IP-address.
Khadi and Shinde [5] studied the problem of email-based phish-
ing and proposed a potential solution based on combining a RIPPER
classifier with fuzzy logic. The role of fuzzy logic is to pick the
main features of the email and rank them based on a probability
score. Meanwhile, the role of RIPPER is to automatically use these
features to classify the type of emails as ham or phishy. Two com-
ponents of the email were utilised by Khadi and Shinde: the email
message (spelling errors, embedded link) and URL (IP address,
Length, Long URL, Suffix_Prefix, Crawler URL, Non matching URL).
Moreover, very limited data consisting of just 100 instances from
phishtank was in experiments involving the WEKA software tool.
No comparison with other fuzzy logic or rule-based classifications
was conducted by the authors. Results showed that there are
 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
twelve rules generated by RIPPER from the dataset with an 85.4%
prediction rate.
Aburrous et al. [26] investigated rule induction methods to seek
their applicability for categorising websites based on phishing fea-
tures. Website features were initially manually classified into six
criteria as described in an earlier report on phishing by Aburrous
et al. [22]. Using WEKA, a number of experiments with four clas-
sification algorithms (RIPPER, PART, PRISM, C4.5) were conducted
against 1006 instances downloaded from Phishtank. The focus of
the experiments was the classification accuracy of the classifiers
produced. Results revealed that rule induction is a promising ap-
proach because it was able to detect, on average, 83% of phishing
websites. The authors suggested that results obtained could be
further enhanced if a careful feature selection were employed.
4.2.2. Associative classification (AC)
The two AC methods CBA and MCAR have been evaluated on
a Phishtank dataset to seek their applicability in cracking phish-
ing ([58,60], Abourrous et al., 2010b). Abourrous et al. (2010b) used
a dataset consisting of over 1000 instances with 27 different fea-
tures and applied CBA, MCAR, and four other rule-based classifiers
using the WEKA DM tool. The aim was to assist security managers
within organisations by building an intelligent anti-phishing tool
within browsers that can detect phishing as accurately as possible.
Experimental results of the six ML algorithms revealed that AC
methods generated more rules than the rest of the algorithms,
yet had higher predictive classifiers. More specifically, the AC sys-
tems produced showed high correlations among features linked
with three major criteria: URL, Domain Identity, and Encryption.
Nevertheless, the massive number of rules derived by MCAR and
CBA may overwhelm end-users since they might not be able to
control the anti-phishing system. Furthermore, the authors did
not implement the AC rules within a browser to evaluate its real
performance, which does not facilitate measuring the success or
failure of their classification systems.
Recently, more domain specific AC anti-phishing systems have
been created [4,18]. These new models take into account not only
two class values of the phishing problem (legitimate, phishy) but
also considers a harder case to detect: the ‘‘suspicious’’ class label.
Instances that cannot be fully classes as phishy nor as legitimate are
very hard to detect by typical ML algorithms, thus increasing their
false positive rates. Abdelhamid et al. [18] and [4] have therefore
enhanced current intelligent classification systems by including
two distinct advantages: (1) extending the phishing problem to
include suspicious cases, making it more realistic; and (2) propos-
ing a new multi-label learning phase that can discover disjunctive
in addition to conjunctive rules. These additional disjunctive rules
are tossed out by existing AC methods. This new multi-label phase
enhances predictive power and provides more useful knowledge to
the end-user. The authors used a dataset that has 16 features and
over 1500 instances, comparing the performance of their classifiers
with other rule-based classifiers with respect to the knowledge
derived and its accuracy. The authors employed the chi-square
testing method to measure the features goodness and discrim-
inate among features with respect to their impact on phishing.
Processed data results showed high competitive performance of
the new multi-label associative classifiers when compared with
CBA, MCAR, rule induction, and decision trees.
4.2.3. Neural network (NN)
One of the common ways to train a NN is trial and error [32].
However, this methodology has been criticised because of the time
spent to tune the parameters and the requirement of an available
domain expert. Thabtah et al. [30] proposed a NN anti-phishing
model based on self-structuring the classification system rather
than using trial and error. The algorithm proposed by the authors
51
updated several parameters, like the learning rate, in a dynamic
way before adding a new neuron to the hidden layer. The process
of updating these NN features is performed during the building of
the classification model and based on the network environment,
behaviour of the desired error rate, and the computed error rate at
that point. The dynamic NN model was applied to detect phishing
on a large dataset from UCI containing over 11 000 websites [12].
Experiments using different epoch sizes (100, 200, 500, 1000) have
been conducted, and the results obtained exhibited better predic-
tive systems when compared to Bayesian Network and Decision
Trees.
The ANN Back Propagation algorithm [70] was investigated on a
security dataset concerning website phishing by Mohammad et al.
[71]. The authors collected a dataset with over 2000 instances from
different legitimate and phishing sources. Processing the dataset,
they tried to measure the correlation between the features and
target attributes using basic univariate statistical analysis (fre-
quency of features values and the target attribute values). Finally,
they applied the Back Propagation ANN algorithm to derive anti-
phishing models. The results of the study indicated that ANN is a
promising approach for combating phishing, particularly since the
results showed increased accuracy of the models generated from
the Back Propagation algorithm when compared with decision
trees and probabilistic.
Mohammad et al. [32] have developed an anti-phishing NN
model that relies on constantly improving the learned predictive
model based on previous training experiences, Since phishers con-
tinuously update their deception methods, new features become
apparent while others become insignificant. In order to cope with
these changes, the authors proposed a self-structuring NN classi-
fication algorithm that deals with the vitality of phishing features.
The algorithm employs validation data to track the performance of
the constructed network model and make the appropriate decision
based on results obtained against the validation dataset. For in-
stance, when the achieved error against the network is lower than
the minimum achieved error, the algorithm saves the network’s
weights and continues the training process. However, when the
achieved error is larger than the minimum achieved error so far,
the algorithm continues the training process without saving the
weights. Other important network parameters are also updated
when necessary during the building of the classification model
without waiting until the model has been entirely built. Results
obtained against a phishing dataset of thirty features and over
10 000 instances showed that the self-structuring NN model is
able to generate anti-phishing models more accurately than tra-
ditional classification approaches such as C4.5 and probabilistic
approaches.
Recently, a new machine learning technique based on Long
Short Term Memory (LSTM) ANN proposed to deal with spear
phishing posts on social media [72]. The LSTM model was trained
on different posts on social media that were represented as word
vectors. The author enhanced the classification model by using
clustering techniques. Experimental results revealed that the LSTM
ANN classification model is more accurate that manual classifica-
tion and other models obtained from former email attack cam-
paigns.
Feed Forward NN (FFNN) was applied on an email phishing
classification problem by Jameel and George [33]. Basic imple-
mentation of a multilayer FFNN based on Back Propagation was
used to differentiate suspicious from legitimate emails. Eighteen
binary features were extracted from the email (header and HTML
body) and made available as the training dataset attributes. These
features were given values based on human rules developed by
security domain experts. To derive the NN models, 6000 emails
were used. The results obtained showed that FFNN is able to
categorise emails with high speed and with an error rate below
52 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55

2%. However, the authors have not yet embedded their FFNN into Table 1
browsers for live testing. Phishing features per category [22].

In 2007, an experimental study contrasting five ML algorithms Criteria N Phishing indicators

on the problem of classifying emails as ham or suspicious was 1 IP address
conducted by Abu-Nimeh et al. [73]. The authors chose Classi- 2 Abnormal request URL
URL 3 Abnormal URL of anchor
fication and Regression Trees (CART), NN, Random Forests (RF),
4 Abnormal DNS record
Bayesian Additive Regression Trees (BART), and Logistic Regression 5 Abnormal URL
(LR) to measure the most successful approaches in email phish-
1 Using SSL certificate (Padlock Icon)
ing detection. A training dataset consisting of 2889 emails and 2 Certificate authority
43 email’s features was used. To produce the results, the testing Encryption
3 Abnormal cookie
method employed was ten-fold cross validation and the evaluation 4 Distinguished names certificate
measures used were precision, recall, and harmonic mean. Results 1 Redirect pages
revealed that RF achieved a lower error rate while NN generated 2 Straddling attack
the highest error rate among the tested classifiers. Moreover, de- Source code 3 Pharming attack
4 OnMouseOver to hide the Link
spite RF generating the highest predictive classifiers, it derived 5 Server Form Handler (SFH)
the least false positive rate among all contrasted algorithms. The
1 Spelling errors
authors suggested though that more carefully chosen features may 2 Copying website
improve the performance of the anti-phishing email tool. Page style & contents 3 Using forms with Submit button
4 Using pop-ups windows
4.2.4. Support vector machine (SVM) 5 Disabling right-click
Proposed by Pan and Ding [74], the SVM classification method 1 Long URL address
evaluates the discrepancy between a website’s identity, its HTTP 2 Replacing similar char for URL
Web address 3 Adding a prefix or suffix
transactions, and structural features. The anti-phishing solution
4 Using the @ Symbol to confuse
proposed contains two layers: 5 Using hexadecimal char codes
1 Emphasis on security
◦ Website Identity: The set of characters appearing inside the
Human 2 Public generic salutation
domain name. 3 Buying time to access accounts
◦ Structural Features Classifier: Features that are related to
the website identity and HTTP transactions.

Once a new website identity and its structural features are cap-
tured (Abnormal URL, Abnormal anchors, Server Form Handler,
Abnormal certificate in SSL, Abnormal DNS, Abnormal cookies),
then a SVM algorithm is trained on a historical dataset consisting
of the same features in order to derive the new website type.
Experimental results on six features using the proposed SVM
indicated that the first helps towards increasing the detection
rate since malicious websites are not correlated. Furthermore, the
SVM model achieved just over 83% prediction rate, and therefore
more investigation is needed into the feature selection phase by
including other features that could improve the performance of the
classifier.
4.2.5. Fuzzy logic
Phishing in electronic banking (Ebanking) applications has been
investigated by Aburrous et al. [22] utilising Fuzzy Logic. A simu-
lated phishing email was sent by the authors with the help of the
security manager at Jordan Ahli Bank to measure security indica-
tors of phishing among a sample of 120 employees after obtaining
the necessary authorisation (www.ahlionline.com.jo). The email
urged the chosen employees to reactivate their accounts by logging
in because server maintenance conducted the previous two days
required account reactivations. Shocking results were obtained:
37% of the targeted employees submitted their credentials without
investigation, of which 7% were Information Technology employ-
ees. The authors’ goal with the simulated email was to determine
features that users may look for inside the email when they suspect
phishing to be used within a FL system to help in differentiating
types of email.
FL has been used as an anti-phishing model to help classify
websites into legitimate or phishy in [22]. The authors claimed
that FL could be effective in identifying phishing activities because
it provides a simple way of dealing with intervals rather than
specific numeric values. Their proposed FL classification model was
built manually to categorise websites using the six criteria listed
in Table 1. Each of those criteria contains a number of phishing
indicators as described in the same table. Each feature in the
dataset was assigned three possible values by the authors: Phishy,
Genuine, and Doubtful. Limited results indicated that there are two
effective indicators to distinguish phishiness in websites: Domain
Identity and URL.
Almomani et al. [17] proposed a promising solution to deal with
a vital types of email phishing attacks called zero-day. This type of
email phishing attacks involves the utilisation of hosts by attackers
that do not appear inside the blacklists of phishing emails. The
authors developed a detection system that they name phishing
dynamic evolving neural fuzzy framework (PDENF). This system
was able to successfully redflag phishing emails using classification
rules learnt by semi-supervised learning techniques. In particular,
the authors have used clustering to easy the process of classifica-
tion using neural fuzzy technique.
A fuzzy based ANN model was proposed in 2015 by Nguyen
et al. [6] to classify websites based on a smaller set of phishing
features related to the website’s URL (PrimaryDomain, SubDomain,
PathDomain) and its rank (PageRank, AlexaRank, AlexaReputa-
tion). The proposed fuzzy ANN model does not use any rules set,
rather it employs a computational function to split data instances
(websites) into ‘‘genuine’’ and ‘‘non-genuine’’ categories. Their
model was tested against 21 600 websites from legitimate and
phishing sources such as Phishtank and DMOZ. They also compared
the generated results with that of Aburrous et al. [26] and Zhang
and Yuan (2008). It was discovered that their fuzzy NN model was
able to slightly enhance the phishing detection rate.
4.2.6. CANTINA term frequency inverse document frequency approach
Carnegie Mellon Anti-phishing and Network Analysis Tool
(CANTINA) is a content based anti-phishing method that deter-
mines suspicious websites using the statistical measure of Term
Frequency Inverse Document Frequency (TF–IDF). Term Frequency
(TF) is a statistical formula that measures keyword significance in
a document while Inverse Document Frequency (IDF) measures
the importance of that keyword across a large collection of docu-
ments [28]. CANTINA evaluates the website content (links, anchor
tags, forms tags, images, text, etc.) for TF–IDF to produce a lexical
 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55 53

Table 2
Common anti-phishing methods based on ML.
Method name ML technique First Author Reference
Dynamic rule induction Rule induction learning Qabajeh Issa Qabajeh, et al. 2014
Enhanced dynamic rule induction Rule induction and covering Thabtah Fadi Thabtah et al. [29,30]
approaches
Classification based association AC Aburrous Maher Aburrous et al. [23,26]
Multi-label classifier based associative AC Abdelhamid Neda Abdelhamid et al. [18]
classification
Self-structuring neural network NN Mohammad Rami Mohammad et al. [25,32]
Neural network trained with NN Mohammad Rami Mohammad et al. [71]
back-propagation
Feed forward neural network NN Jameel Noor Ghazi Jameel and George [33]
Fuzzy DM Fuzzy logic Aburrous Maher Aburrous et al. [22]
Fuzzy DM Fuzzy logic Khadi Anindita Khadi and Shinde [4]
PILFER Decision tree Fette Ian Fette et al. [69]
Page classifier SVM Pan Ying Pan and Ding [74]
PDENF Fuzzy and clustering Almomani, Ammar Almomani et al. [14,17]
CANTINA Term frequency and inverse document Sanglerdsinlapachai Nuttapong Sanglerdsinlapachai and Rungsawang [75]
frequency
Biased SVM, LIBSVM, ANN, self-organising NN, SVM and other ML techniques Basnet Ram Basnet et al. [15]
map

signature of the website. This signature (top ranked TF–IDF key
words) will be passed into the search engine to seek their rank in
domain names and decide the type of the website. The description
of the CANTINA based classification process is as follows:
1. Parse the webpage.
2. Compute the TF–IDF for the common terms of the website.
3. Select the top five terms according to the computed scores
of all TF–IDF terms.
4. Add the top five terms to the URL to locate the lexical
signature.
5. Input the lexical signature into a search engine.
6. Check whether the domain name of the current website
matches the domain names of the top N search results (often
N = 30).
7. Return ‘‘Legitimate’’ when there is a match or ‘‘Phishy’’ when
there is no match.
When the search results in an empty set, the current website is
classified as ‘‘phishy’’. To overcome the ‘‘no results’’ problem the
authors merged TF–IDF with other content features such as ‘‘IP
Address’’, ‘‘domain age’’. ‘‘suspicious Images’’, ‘‘suspicious Link’’,
and ‘‘suspicious URL’’.
Sanglerdsinlapachai and Rungsawang [75] have used CANTINA
TF–IDF, and added a few more features such as ‘‘Forms’’ and ‘‘Top
pages’’ similarity linked with the domain’’, and removed features
such as ‘‘domain age’’ and ‘‘known images’’. A dataset consisting of
200 websites was used in the experiments, and three DM methods
were applied to the dataset. Results obtained, despite being lim-
ited, revealed that the reduced features set maintained a similar
detection rate with that of the CANTINA features set. Moreover,
adding the new features slightly enhanced the detection rate for
most of the learning methods considered in the experiments.
Table 2 shows a brief summary of the common anti-phishing
approaches that are based on automated learning along with the
name of the method, the learning approached used, the first author,
and their reference details.
5. Conclusions
Website phishing classification is a fundamental problem due
to the very large online transactions performed by businesses,
individuals and governments. While many users are vulnerable to
the phishing attacks, playing catch-up to the phishers’ evolving
strategies is not an option. There have been different approaches
to combat phishing ranging from legal, educational, simulation,
online community forums, black lists and machine learning among
others. Unlike existing phishing reviews that were based around
only intelligent techniques such as machine learning and data
mining this paper focuses on raising awareness and educating
users on phishing from training and legal prospective. This indeed
will equip individuals with knowledge and skills that may pre-
vent phishing on a wider context within the community. In this
paper, we review conventional anti-phishing approaches such as
law enforcement, user training, and education and then critically
analyses their different methods. Then the attention is directed
to review predictive ML method particularly rule-based methods,
decision trees, associative classification, SVM, NN, and computa-
tional intelligence. We contrast the ways these methods detect
phishing activities, their performance and their advantages and
disadvantages.
While many countries such as the USA have taken a lead to
criminalise phishing activities and put together more severe leg-
islations, it is still hard to find attackers basically since phishing
attacks have a short life span. Despite this limitation, it is still
crucial that law enforcement agencies improve their information
sharing work as well as jurisdiction. Moreover, educating novice
users using visual cues can partly improve their abilities to detect
phishing; however, many novice users still not paying high atten-
tion to visual cues when browsing the internet which make them
vulnerable to phishing attacks. Users need to be exposed to repet-
itive training about phishing attacks since phishers continuously
change the deception tactics.
Online phishing communities gather data that allow users to
share information about phishing attacks such blacklisted URLs,
which is useful information centre for users. However, this ap-
proach necessitates good awareness about web security indicators
besides blacklisted URLs become outdated as updates are not per-
formed in real-time.
Finally, anti-phishing methods based around ML especially AC
and rule induction are suitable to combat phishing due to their high
detection rate and more importantly the easy to understand out-
comes they offer (If-Then rules). These rules empower novice users
as well as security experts to understand and manage security
indicators. However, adding a visualisation layer into ML learning
methods is advantageous to novice users as they may react quickly
to visual cues.
In near future we are intend to design and implement a knowl-
edge base using rule induction that can on real time warns online
users of any possibility of phishing attacks.
References
[1] N. Abdelhamid, F. Thabtah, Associative classification approaches: Review and
comparison, J. Inf. Knowl. Manage. (JIKM) 13 (3) (2014) 1450027.
54 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
[2] S. Sheng, M. Holbrook, N.A.G. Arachchilage, L. Cranor, J. Downs, Who falls for
phish?: a demographic analysis of phishing susceptibility and effectiveness of
interventions, in: CHI ’10 Proceedings of the 28th International Conference on
Human Factors in Computing Systems, ACM, New York, NY, USA, 2010.
[3] N. Abdehamid, Multi-label rules for phishing classification, Appl. Comput. Inf.
11 (1) (2015) 29–46.
[4] A. Khadi, S. Shinde, Detection of phishing websites using data mining tech-
niques, Int. J. Eng. Res. Technol. 2 (12) (2014).
[5] Afroz, R. Greenstadt, PhishZoo: Detecting phishing websites by looking at
them, in: Fifth International Conference on Semantic Computing (September
18 –September 21), IEEE, Palo Alto, California USA, 2011.
[6] L.A.T. Nguyen, B.L. To, H.K. Nguyen, An efficient approach for phishing detec-
tion using neuro-fuzzy model, J. Autom. Control Eng. 3 (6) (2015).
[7] McCall, Gartner, Inc. 2011. http://www.gartner.com/newsroom/id/565125
[Accessed 05.06.16].
[8] D. Jevans, Anti-Phishing Working Group (APWG): http://www.antiphishing.
org/ [Accessed 20.06.16], 2003.
[9] G. Aaron, R. Manning, APWG Phishing Reports, 2014. http://docs.apwg.org/
reports/apwg_trends_report_q4_2014.pdf [Accessed 20.03.16].
[10] V. Suganya, A review on phishing attacks and various anti phishing techniques,
Int. J. Comput. Appl. (0975–8887) 139 (1) (2016) 20–23.
[11] R. Mohammad, F. Thabtah, L. McCluskey, Tutorial and critical analysis of
phishing websites methods, Comput. Sci. Rev. J. 17 (2015) 1–24. Elsevier.
[12] R. Mohammad, F. Thabtah, L. McCluskey, Phishing websites dataset. 2015,
Available: https://archive.ics.uci.edu/ml/datasets/Phishing+Websites Accessed
January 2016.
[13] K.R. Sahu, J. Dubey, A Survey on phishign attacks, Int. J. Comput. Appl. (0975–
8887) 88 (10) (2014) 42–45.
[14] A. Almomani, B.B. Gupta, S. Atawneh, A. Meulenberg, E. Almomani, A survey of
phishing email filtering techniques, IEEE Commun. Surv. Tutor. 15 (4) (2013)
2070–2090.
[15] R. Basnet, S. Mukkamala, A.H. Sung, Detection of phishing attacks: A machine
learning approach, Soft Comput. Appl. Ind. (2008) 373–383.
[16] B.B. Gupta, N.A.G. Arachchilage, K.E. Psannis, Defending against phishing at-
tacks: taxonomy of methods, current issues and future directions, Telecom-
mun. Syst. 2017 (2017) 1–21.
[17] A. Almomani, B.B. Gupta, TC. Wan, A. Altaher, S. Manickam, Phishing dynamic
evolving neural fuzzy framework for online detection zero-day phishing email.
2013. arXiv preprint arXiv:1302.0629(2013).
[18] N. Abdelhamid, F. Thabtah, A. Ayesh, Phishing detection based associative
classification data mining, Expert Syst. Appl. J. 41 (2014) 5948–5959.
[19] B.B. Gupta, A. Tewari, AK. Jain, D.P. Agrawal, Fighting against phishing attacks:
state of the art and future challenges, 2017.
[20] M. Rader, S. Rahman, Exploring historical and emerging phishing techniques
and mitigating the associated security risks, Int. J. Netw. Secur. Appl. (IJNSA)
5 (4) (2015). http://dx.doi.org/10.5121/ijnsa.2013.540223. July 2013.
[21] McFredies, P (n.d.) Phishing. 2016. http://www.wordspy.com/words/phishing.
asp [Accessed 15.05.16].
[22] M. Aburrous, A. Hossain, K. Dahal, F. Thabtah, Intelligent quality performance
assessment for E-Banking security using fuzzy logic, in: Proceedings of the
7th IEEE International Conference on Information Technology (ITNG 2008). Las
Vegas, USA, 2008.
[23] M. Aburrous, M. Hossain, K.P. Dahal, F. Thabtah, Associative Classification
techniques for predicting e-banking phishing websites, in: Proceedings of the
2010 International Conference on Information Technology, Las Vegas, Nevada,
USA, 2010, pp. 176–181.
[24] I. Qabajeh, F. Thabtah, F. Chiclana, Dynamic classification rules data mining
method, J. Manage. Anal. 2 (3) (2015) 233–253. Wiley.
[25] R. Mohammad, F. Thabtah, L. McCluskey, Intelligent rule based phishing web-
sites classification, J. Inf. Secur. (ISSN: 17518709) (2) (2014) 1–17. IET.
[26] M. Aburrous, M. Hossain, K.P. Dahal, F. Thabtah, Experimental case studies
for investigating e-banking phishing techniques and attack strategies, J. Cogn.
Comput. 2 (3) (2010) 242–253. Springer Verlag.
[27] PhishTank, 2011. PhishTank. http://www.phishtank.com/ [Accessed 16.01.16].
[28] I.H. Witten, E. Frank, Data Mining: Practical Machine Learning Tools and
Techniques, 2005.
[29] F. Thabtah, R. Mohammad, L. McCluskey, A dynamic self-structuring neural
network model to combat phishing, in: The Proceedings of the 2016 IEEE
World Congress on Computational Intelligence. Vancover, Canada, 2016.
[30] F. Thabtah, I. Qabajeh, F. Chiclana, Constrained dynamic rule induction learn-
ing, Expert Syst. Appl. 63 (2016) 74–85.
[31] J. Lee, L. Bauer, L.M. Mazurek, The effectiveness of security images in internet
banking, IEEE Internet Comput. 19 (1) (2015) 54–62.
[32] R. Mohammad, F. Thabtah, L. McCluskey, Predicting phishing websites based
on self-structuring neural network, J. Neural Comput. Appl. (ISSN: 0941-0643)
25 (2) (2014) 443–458. Springer.
[33] N.Gh. Jameel, L. George, Detection of phishing emails using feed forward neural
network, J. Comput. Appl. 77 (7) (2013) 10–15.
[34] Information Week (n.d.), 2016. http://www.informationweek.com/california-
enacts-tough-anti-phishing-law-/d/d-id/1036636? [Accessed 17.03.16].
[35] General Assembly of Virginia, 2005. CHAPTER 827. http://leg1.state.va.us/cgi-
bin/legp504.exe?051+ful+CHAP0827 [Accessed 01.04.16].
[36] G.H. Pike, Lost data: The legal challenges, Inf. Today 23 (10) (2006) 1–3.
[37] Executive-Order-13402, 2006. Executive Order 13402. http://www.gpo.gov/
fdsys/pkg/FR-2006-05-15/pdf/06-4552.pdf [Accessed 19.05.16].
[38] BBC News, 2005. http://news.bbc.co.uk/2/hi/uk_news/england/lancashire/43
96914.stm [Accessed 11.04.16].
[39] Government of Australia, Hackers, Fraudsters and Botnets: Tackling the Prob-
lem of Cyber Crime. Report on Inquiry into Cyber Crime, 2011.
[40] ClickDimensions, 2014. www.clickdimensions.com/sites/default/files/PDF/W
hitePaper-CASL.pdf [Accessed 12.05.16].
[41] S.D. Julie, H. Mandy, L.F. Cranor, Behavioral response to phishing risk, in: The
Anti-Phishing Working Groups, 2nd Annual ECrime Researchers Summite,
Crime ’07, ACM, New York, NY, USA, 2007.
[42] N.A.G. Arachchilage, S. Love, A game design framework for avoiding phishing
attacks, Comput. Hum. Behav. 29 (3) (2013) 706–714.
[43] N.A.G. Arachchilage, M. Cole, Design a mobile game for home computer users
to prevent from phishing attacks, in: 2011 International Conference on Infor-
mation Society (i-Society), 2011, pp. 485–489.
[44] N.A.G. Arachchilage, Y. Rhee, S. Sheng, S.H. Hasan, A. Acquisti, L.F. Cranor, J.
Hong, Getting users to pay attention to anti-phishing education: evaluation
of retention and transfer, in: ECrime ’07 Proceedings of the Anti-Phishing
Working Groups 2nd Annual ECrime Researchers Summit, ACM, Pittsburgh,
PA, USA, 2007.
[45] D.J.C. Ronald, C. Curtis, F.J. Aaron, Phishing for user security awareness,
Comput. Secur. 26 (1) (2007) 73–80.
[46] M. Bright, MillerSmiles. 2011, [Online] Available at: http://www.millersmiles.
co.uk/ [Accessed 09.01.16].
[47] B. Nahorney, The MessageLabs Intelligence Annual Security Report: 2009
Security Year in Review. 2015. http://www.symantec.com/content/en/us/
enterprise/other_resources/intelligence-report-06-2015.en-us.pdf [Accessed
09.06.16].
[48] Cloudmark Org. Cloudmark. 2002. http://www.cloudmark.com/en/home [Ac-
cessed 10.02.16].
[49] WOT, Web of Trust. 2006. http://www.mywot.com/ [Accessed 24.03.16].
[50] Google Safe-Browsing, 2010. Google Safe Browsing. http://code.google.com/p/
google-safe-browsing/ [Accessed 10.04.16].
[51] McAfee SiteAdvisor, 2006. McAfee SiteAdvisor. http://www.siteadvisor.com/
[Accessed 19 February 2016].
[52] Retun Path, 2016. https://blog.returnpath.com/blacklist-basics-the-top-email
-blacklists-you-need-to-know-v2/ [Accessed 22.03.16].
[53] J. Chen, C. Guo, Online detection and prevention of phishing attacks (Invited
Paper), in: First International Conference on Communications and Networking
in China, ChinaCom ’06, IEEE, Beijing, 2006.
[54] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann, I. Witten, The WEKA
data mining software: An update, SIGKDD Explor. 11 (1) (2009).
[55] H. Liu, R. Setiono, Chi2: Feature selection and discretization of numeric at-
tribute, in: Proceedings of the Seventh IEEE International Conference on Tools
with Artificial Intelligence, November 5–8, 1995, p. 388.
[56] J. Quinlan, C4.5: Programs for Machine Learning, Morgan Kaufmann, San
Mateo, CA, 1993.
[57] R.O. Duda, P.E. Hart, Pattern Classification and Scene Analysis, John Wiley &
Sons, New York, 1973.
[58] B. Liu, W. Hsu, Y. Ma, Integrating classification and association rule mining, in:
Proceedings of the Knowledge Discovery and Data Mining Conference- KDD,
1998, pp. 80–86. New York.
[59] W. Li, J. Han, J. Pei, 2001 CMAR: Accurate and efficient classification based
on multiple-class association rule, in: Proceedings of the IEEE International
Conference on Data Mining-ICDM, pp. 369–376.
[60] F. Thabtah, P. Cowling, Y. Peng, MCAR: Multi-class classification based on asso-
ciation rule approach, in: Proceedings of the 3rd IEEE International Conference
on Computer Systems and Applications, 2005, pp. 1–7.
[61] W.W. Cohen, Fast effective rule induction, in: Proceedings of the Twelfth
International Conference on Machine Learning, Morgan Kaufmann, Tahoe City,
California, 1995.
[62] J. Cendrowska, PRISM: An algorithm for inducing modular rules, Int. J. Man-
Mach. Stud. 27 (4) (1987) 349–370.
[63] Grossberg, Nonlinear neural networks: Principles, mechanisms, and architec-
tures, Neural Netw. 1 (1) (1988) 17–61.
[64] H. Joachims, Making Large-Scale Support Vector Machine Learning Practical,
Advances in Kernel Methods: Support Vector Learning, MIT Press, Cambridge,
MA, 1999.
[65] J. Platt, Fast training of SVM using sequential optimization, in: B. Scholkopf, C.
Burges, A. Smola (Eds.), Advances in Kernel Methods–Support Vector Learning,
MIT Press, Cambridge, 1998, pp. 185–208.
[66] L.A. Zadeh, ‘‘Fuzzy Sets,’’ Information and Control 8 (3) (1965) 338–353. http:
//dx.doi.org/10.1016/S0019-9958(65)90241-X.
[67] Y. Freund, R.E. Schapire, A decision-theoretic generalization of on-line learning
and an application to boosting, J. Comput. Syst. Sci. 55 (1) (1997) 119–139.
 I. Qabajeh et al. / Computer Science Review 29 (2018) 44–55
[68] E. Goldberg, Genetic Algorithms in Search, Optimization, and Machine Learn-
ing, MA: Addison Wesley., 1989.
[69] I. Fette, N. Sadeh, A. Tomasic, Learning to detect phishing emails, in: Proceed-
ings of the 16th international conference on World Wide Web. 2007, pp. 649–
656.
[70] David E. Rumelhart, Geoffrey E. Hinton, Ronald J. Williams, Learning represen-
tations by back-propagating errors, Nature 323 (6088) (1986) 533–536.
[71] R.M. Mohammad, F. Thabtah, L. McCluskey, Predicting phishing websites using
neural network trained with back-propagation, in: World Congress in Com-
puter Science, Computer Engineering, and Applied Computing, Las Vigas, 2013,
pp. 682–686.
55
[72] J. Seymour, P. Tully, Generative Models for Spear Phishing Posts on SocialMe-
dia. Technical report, 2018.
[73] S. Abu-Nimeh, D. Nappa, X. Wang, Nair, A comparison of machine learning
techniques for phishing detection, in: The 2nd Annual Anti-Phishing Working
Groupse Crime Researchers, eCrime ’07, ACM, New York, NY, USA, 2007.
[74] Y. Pan, X. Ding, Anomaly based web phishing page detection, in: The 22nd
Annual Computer Security Applications Conference, (ACSAC), IEEE, Miami
Beach, Florida, USA, 2006.
[75] N. Sanglerdsinlapachai, A. Rungsawang, Using domain top-page similarity
feature in machine learning-based web, in: Third International Conference on
Knowledge Discovery and Data Mining, IEEE, 2010.